As we look back on October, Cybersecurity Awareness Month, it is important to understand the state of the legal industry and how much more can be done to increase security and awareness in general. Thanks to the ABA’s 2018 Legal Technology Report, we have listed statistics that we found to be eye-opening. Not surprisingly, the smaller the firm, the less likely it was to have a policy covering document retention, remote access, social media, personal technology and employee privacy. Moving forward, it’s important to take the lessons learned in the last month and determine where your organization is lacking cyber protection, then take action to protect your business.
Document retention cybersecurity best practices
The effect on organizations that hoard data can be catastrophic. The more personal information a company has in its possession, the more information it has to lose in a cyber attack, and the higher the financial and reputational costs. As we’ve seen in the media, breaches are happening more than ever. In addition to taking every measure possible to prevent a breach, it’s imperative to create a strategy to ensure that, in the unfortunate event of a breach, there is as little damage as possible. Incident response planning, training, and ensuring that your organization retains only the data necessary to operate your business are key to a successful retention plan. Make sure your data retention plan takes into account any data retention laws your company may be subject to.
Remote access cybersecurity best practices
Failures of security measures when accessing networking devices, servers, desktops, or databases remotely, whether that access is through a website, an application, or a direct connection by a person, can be the weak spots that make you vulnerable to a cyber attack. Here are steps to take to make these remote connections more secure and less likely to result in a security breach.
- Be sure to change default usernames and passwords, and avoid using weak usernames and passwords and insecure communication protocols.
- Get visibility into who is accessing an organization’s critical systems
- Store the credentials in a locked and safe environment
- Implement live monitoring and session recording
- Deploy analytics tools
Social media cybersecurity best practices
It’s no surprise that employees are on social media often, and it’s also probable that your business is on social media as well. Social media platforms are another avenue where hackers can get in to implement a successful cyber attack. But there are ways you can keep your company’s social media safe.
- Hold security awareness training on the dangers of social media for employees
- Limit Private Company Information On Social Networks
- Some social media platforms reset privacy settings every time the platform gets updated. Since you never know when a security setting may get changed, it is vital to check these settings regularly.
- Ensure your company software is consistently updated.
- Update connected apps – While these apps are useful or even necessary, they are not without vulnerabilities and cyber security risks.
- Close any accounts that are no longer used or have been inactive for a while, to avoid them being hacked and used to access and compromise active accounts.
Personal technology cybersecurity best practices
Smartphones and tablets have become constant companions, and hackers continually find new ways to break into them. Many people believe their iPhone or Android devices are secure by default, but in reality it is up to the user to make security configuration changes to ensure protection. There are a number of steps you can take to reduce the risks they pose as well as address related legal, privacy, and security requirements. The steps are similar to those involved with many other security issues—such as powerful program and policy creation, risk assessment, technology implementation, communication, and continuous monitoring and evaluation—but are tailored to mobile devices.
Employee privacy cybersecurity best practices
Clear policies are key to handling employee privacy when monitoring employees’ digital activities in the workplace. To properly maintain cybersecurity and protect confidential information, companies need to monitor the activities of their employees more than ever. Successful protection through employee activity tracking requires a delicate balance. You need to consider two things:
- Reasonable efforts to find wrongdoing or carelessness that could harm the company.
- Respecting employees’ reasonable expectation of privacy.
The most important step employers can take to reduce the risk of inadvertently infringing on employees’ privacy rights is to have clear policies.
By the Numbers: Legal Technology Survey
- Twenty-three percent of respondents reported that their firm had been breached at some point.
- Of those reporting that they had been breached, the percentage breached generally increased with firm size until you got to large firms: 14 percent were solos, 24 percent were firms with two to nine attorneys, 24 percent were firms with 20 to 49 attorneys, 42 percent with 50 to 99 attorneys and about 31 percent with 100 or more attorneys.
- Sixty percent reported that their firms had not experienced a data breach. It is important to note that it is extremely possible that many firms experienced a breach and never detected it.
- About 9 percent of those breached notified clients, and 14 percent notified law enforcement.
- Of those breached, 41 percent reported downtime and/or loss of billable hours, 40 percent reported consulting fees for remediation of the problems, 11 percent reported loss or destruction of files and 27 percent reported replacement of hardware and/or software.
- Forty percent reported experiencing an infection with viruses/malware/spyware, with the greater number occurring in firms with two to 49 attorneys and the lowest in firms with 500 or more attorneys.
- Twenty-nine percent reported using encryption of email for confidential or privileged data sent to clients.
- Twenty-four percent reported using full-drive encryption, a low number in this day and age.
For more information on a free dark web scan and how to protect your law firm, contact the JDL team at 973-607-2140.